Saturday, December 6, 2014

I've been exploring HTTPS (SSL/TLS) configurations lately at industry scale using an automated SSL/TLS scanner that I wrote based on OpenSSL and SSLScan. Here are the SSL/TLS configurations of the top 25 US banks. It is good to note that just about everyone seems to have their crypto house in order.

Observation: The majority of banks only support TLS - no SSL. The remaining support SSLv3 and TLS. No SSLv2.

Observation: No key lengths shorter than 128 bits. This is good. Over time, I expect that we'll see a decrease in 128-bit keys and an increase in 256-bit keys.
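For readers who want to see how a scanner like the one described above decides whether a server accepts a given protocol version, here is a minimal probe added as an illustration. It is not the author's scanner: it hand-builds a ClientHello that offers exactly one version, reads the first record the server sends back, and classifies it. Because the parsing is separated from the network call, it can be exercised offline against captured ServerHello and alert bytes. The cipher list, timeout, and the placeholder hostname are assumptions; SSLv2 uses a different hello format and is deliberately left out. One caveat to set beside the observations above: after POODLE (October 2014), SSLv3 support is itself a finding, so any server that still answers an SSLv3 hello belongs on the to-do list.

```python
import os
import socket
import struct

# TLS record-layer and handshake constants (SSLv3 and TLS 1.x share this framing).
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_PROTOCOL_VERSION = 70

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# RSA-key-exchange suites that 2014-era servers understood; no extensions are needed.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA


def build_client_hello(version):
    """Serialize a ClientHello record that offers exactly one protocol version."""
    major, minor = version
    body = struct.pack("!BB", major, minor)              # client_version
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(CIPHER_SUITES))    # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sends back.

    Returns ("supported", (major, minor)) for a ServerHello, ("unsupported",
    alert_description) for an alert, and ("unknown", None) for anything else,
    including an empty read (many servers simply close on a version they refuse).
    """
    if len(data) >= 7 and data[0] == CONTENT_ALERT:
        return ("unsupported", data[6])                   # alert description byte
    if len(data) >= 11 and data[0] == CONTENT_HANDSHAKE and data[5] == SERVER_HELLO:
        return ("supported", (data[9], data[10]))        # server_version
    return ("unknown", None)


def version_supported(probed, data):
    """True only if the server agreed to the exact version that was offered.

    A ServerHello carrying a lower version means the server negotiated down,
    which is evidence for the lower version, not for the one probed.
    """
    status, detail = parse_server_response(data)
    return status == "supported" and detail == probed


def probe(host, port, version, timeout=5.0):
    """Network probe for one version. Only run against hosts you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return version_supported(version, data)


def scan(host, port=443):
    """Map each protocol name to whether the server accepts it (SSLv2 not covered)."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "bank.example"   # placeholder host
    for name, ok in scan(target).items():
        print(f"{target}:{443} {name}: {'supported' if ok else 'not supported'}")
```

The important design point is in version_supported: a scanner that only checks for a ServerHello will report TLS 1.2 as "supported" on a server that quietly negotiated down to TLS 1.0, so the negotiated version must be compared with the one offered.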

Saturday, November 15, 2014

I've decided that every compromise - J.P. Morgan, Target, Home Depot, Dairy Queen, USPS - hurts everyone. Why? Because every profitable compromise attracts more resources to cybercrime, raising the threat level that every organization has to deal with.

At the root of every enterprise is investment - to fund research and development, operations, and so forth. This got me thinking: at what level would a venture capitalist fund cybercrime, and how would different levels of revenue affect that level of investment? Let's use $2.5 billion as our baseline revenue level, because that is what Group-IB, a cybercrime investigations and research company, pegged Russian cybercrime revenue at in their report.

The basic venture capital formula determines the level of investment based on the projected future value of the investment (Future Value), the required rate of return (IRR), and the number of years until that future value is realized (years). It all comes together in the formula shown below.

Let's say that an enterprising criminal proposed to our venture capitalist a cybercrime enterprise that would be generating $2.5 billion in 5 years. The venture capitalist, seeing the risk in the enterprise, requires an annual return of 75% and assumes the enterprise will be worth three times revenue. In such a scenario, our venture capitalist would be willing to invest about $1.4 billion.

Let's assume that the criminals boost their revenue forecast to $3.5 billion because organizations are failing in their defenses even more frequently. Our venture capitalist revalues her level of investment and now is willing to invest nearly $2 billion.

Alternatively, what if revenue dropped to $1.5 billion because companies are being more successful in defending their assets? Now our investor is only willing to invest $840 million.
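The discounting formula the post refers to, written out here as an added note (the page's own rendering of it did not survive; the present-value formula below is the standard one and is assumed to be what was meant):

$$\text{Investment} = \frac{\text{Future Value}}{(1 + \text{IRR})^{\text{years}}}, \qquad \text{Future Value} = 3 \times \text{Revenue}.$$

Carried through with the inputs as stated above ($2.5 billion of revenue, a 3x multiple, a 75% return, five years):

$$\frac{3 \times 2.5}{1.75^{5}} = \frac{7.5}{16.41} \approx 0.46 \text{ billion}.$$

The three figures quoted in the post ($1.4 billion, nearly $2 billion, $840 million) are instead what the formula yields when the discount factor is about 5.4, that is, 40% over five years ($1.4^{5} \approx 5.38$) or 75% over three years ($1.75^{3} \approx 5.36$): $7.5 / 5.38 \approx 1.39$, $10.5 / 5.38 \approx 1.95$, and $4.5 / 5.38 \approx 0.84$. So either the rate or the horizon in the worked scenario differs from the one used to compute the figures. The direction of the argument is unchanged either way, since the investment scales linearly with projected revenue for any fixed rate and horizon.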

The point is every profitable compromise attracts more resources pursuing profits.

The threat level that every organization has to deal with is directly proportional to the global resources being invested in cybercrime. So, when Target or Home Depot or J.P. Morgan get compromised, everyone gets compromised, because each of these events attracts more resources. These resources go towards development of new exploit methods, compromise operations, and cash-out operations.

So what does this mean? Ultimately, we have to starve the criminals of revenue so that the investment trends will reverse from growth to decline. First, take care of your own house so that you aren't contributing to the cybercrime revenue. And second, help out your neighbors so that they don't get compromised - because it matters. Crime begets crime. And if you live in a neighborhood where there is a lot of crime, eventually you are going to get compromised.

Monday, October 6, 2014

The NRA operates 144 distinct websites, by my count. You can learn a lot about the NRA just from their site hostnames. For example, who knew that the NRA sells hearing aids? Yep, www.nrahearingbenfits.com. And apparently they are in the prescription drug business too! www.nrarx.com. Other more well known facts include that the NRA does not like Obama (www.gunbanobama.com), and they aren't fond of Michael Bloomberg either (www.meetbloomberg.com).

Here is a visualization I created of the NRA's sites and their inter-relationships. I created this using Gephi with the Force Atlas 2 module.

Sunday, September 7, 2014

Each fall I am a guest speaker for Brigham Young University's Information Security graduate program. Much of the time is spent fielding questions from students. Last week, one student asked, "What should I be doing to ensure I can land a good technical job in Information Security?" Rather than answer right then, I asked if I could answer through a blog post. So here it is.

Assess the security of networks, systems and web apps. Information Security is about protecting assets from unauthorized access and destruction. To be a good security practitioner you have to be familiar with the tactics and techniques for compromising systems. This will enable you to assess your own systems for vulnerabilities, as well as improve your ability to design and operate preventative and detective security controls. Get going on web application hacking with the OWASP WebGoat application, an intentionally insecure web application. Scan your own network, and others you have permission to assess, using Nmap, Nessus, and other tools.

SecTools.org has a good listing of security software for assessing networks. Get familiar with these tools. Use them.

Code. Pick a language - whichever you prefer. And learn to code reasonably well. I am strongly of the opinion that you have to know how to code in order to know how computers work and how to secure them. Learn by building something. Pick a project and code it up, preferably something with network communication involved. Code a port scanner. Code a web application security scanner. There are a hundred out there, but by building your own you will develop expertise in that security domain.

Resources for learning to code: Codecademy for getting going on the basics, Google searches and Stack Overflow for when you get stuck.

Stand up and operate a small network that is Internet accessible. You have to know networking and you have to know what happens to networks on the Internet. Get a used Cisco switch and use its capabilities to log and control access. Fire up Wireshark and learn the networking protocols.

Run a network IDS on your network. This will open your eyes to the attacks occurring on the Internet and get you into intrusion detection and response. Use Suricata or Snort.

Wrangle and analyze data. Data collection and analytics are increasingly important in Information Security. Know how to work your way around relational databases and NoSQL databases, and stretch for Hadoop if you have time. I recommend getting going with MySQL or PostgreSQL and MongoDB. Use one of these databases in your coding project. Also, use a database to store and analyze traffic from your network.

Read. Set up an RSS reader such as Feedly and load it with Information Security research and general news sources. Also, stay up on the industry or industries in which you are interested in practicing information security. InfoSec doesn't exist in a vacuum. Know well the context in which you want to practice Information Security. Reading will also help you shape an increasingly integrated picture of Information Security trends and inter-relationships.

Write. Your ability to communicate well will determine the scope of responsibility you take on in your career. Write up your research. Post it to a blog. Present it at a conference. Be a student of writing well. If you have only one book on writing, get The Elements of Style by Strunk and White. Essential.

Monday, September 1, 2014

Friday, August 15, 2014

The silent speed of a bike.
The bike is what I need it to be - a place of peace, a place of pain, a place of peace through pain.
It moves me.
There is something about the act of balancing on two wheels that brings about a sense of well being.
It is the most elegant machine man ever made.
It takes me places I wouldn't otherwise go.
Cyclists are just good people.
The rhythm of riding.
Drafting a car down 224 at 48 mph.
The easy access to endorphins a bike provides.
It gets me close to nature.
It makes me feel good.
The camaraderie of riding with friends.
The speed of a good pace line.
The climb up Wolf Creek Pass on an August evening.
The absolute heavenly feeling of coasting down an empty road with no hands and eyes closed.
The youthful, playful feeling it evokes.
The pain.
The peace.
The joy.

My thoughts on what a top-notch security professional looks like. Contact me if you think you are this professional, or you want to become this professional :-)

Is expert in the field of threat intelligence and response, deeply knowledgeable of a wide range of technologies and methods for collecting and acting on threat intelligence. Is expert in networking protocols. Is capable of rapidly crafting custom detection signatures to detect attacks for which no signatures exist. Is capable of creating custom threat intelligence and response systems to fill gaps where commercial systems are sub-optimal or non-existent. Is expert in identifying attacks within network traffic, effectively filtering signal from noise such that false positives and false negatives are very low. Is expert in navigating complex enterprise computing and network environments. Is able to discern the magnitude of threats. Is competent in analyzing large amounts of data and building software to automate analysis.

Is self-motivated, requiring only high-level strategic direction. Does not require day-to-day instruction. Knows what needs to be done based on the strategic objectives and actions of the threat actors and changes occurring in the environment. Initiates projects to progress the effectiveness of the threat intelligence program, inventing and enhancing threat intelligence systems and methods. These systems and methods serve as the foundation through which others fulfill collection, detection, analysis, and response work. Is a source of strong program and technical influence to others in the team. Mentors others in the team in the craft of threat intelligence and response. Has strong connections in the financial threat intelligence industry and leverages those connections to gain better intelligence and to learn better methods of threat intelligence and response. Is an effective communicator, both verbal and written.

Is highly productive in detecting and responding to threats and in creating frameworks that improve the effectiveness and efficiency in which others detect and respond to threats. Capability to rapidly context switch a must.

Typically has 10+ years in information security, with three or more years in threat intelligence and response. Is highly competent in the skills necessary for effective threat intelligence, including network routing, network protocols, system engineering, protocol analysis, attack signature development, coding, and data analysis.

Tuesday, July 1, 2014

Information Security professionals commonly define risk in one of two ways:

The expected loss over a given period of time

Risk = threat * vulnerability * impact

Compare this to the way risk is explained in Wikipedia. "Risk is the potential of losing something of value, weighed against the potential to gain something of value." It is the old adage "nothing ventured, nothing gained." Andy Ellis, the CSO of Akamai Technologies, describes it this way. "Our businesses are in the business of taking risks. That's what we do for a living. We spend money in hopes of making more money."

Do you see the problem with the InfoSec risk definition? InfoSec risk is focused on loss - analyzing and minimizing bad outcomes. Real risk is focused on the difference between the expected gain and the expected loss. Too often Information Security minimizes bad-outcome potential to the extent that it causes greater harm to the gain potential. Have you heard this before? "We can't move to the cloud. Too many unknowns. Too risky." I've heard the same said about SaaS, outsourcing, mobile applications, employee mobility, and web services. Really? Were these the same people who said that we can't use email a couple of decades ago, or that we can't offer online banking?

If Information Security truly internalized a new risk definition that properly balanced the loss potential and the gain potential, we would be more effective in supporting our businesses. Maybe it would cause us to shift to being enablers of rapid adoption of better / faster / cheaper business technology models. Yes, there is profit to be made by properly reducing loss potential. There is also profit to be made by maximizing upside potential. Let's be a proper voice for that equation. If we do, then we'll probably see ourselves march into some unknowns faster, and probably see some systems with traditionally moderate and high residual risk go into production because the gain possibility is so great.

So let's adopt the Wikipedia risk definition. Besides, it is what everyone else is using anyway.

"Risk is the potential of losing something of value, weighed against the potential to gain something of value."

And hey, who wants to work at a shop that doesn't run email or a web site anyway?

BTW - I took the risk of jumping off a cliff into the Pacific Ocean today and the reward was great.

Saturday, June 21, 2014

In Information Security, rapidly escalating and innovating threat actors, coupled with an ever-changing business technology architecture, have changed the security game forever. Preventative controls are increasingly less effective in mitigating threats, and they are too cumbersome to keep up with the pace of technology change. This shift necessitates moving the balance from a preventative-control focus to rapid security intelligence and response.

"...counter insurgency is at heart an adaptation battle: a struggle to rapidly develop and learn new techniques and apply them in a fast-moving, high-threat environment, bringing them to bear before the enemy can evolve in response, and rapidly changing them as the environment shifts." (Counterinsurgency page 2).

The Twenty-Eight Articles was written by Mr Kilcullen at the U.S. State Department and DoD and is based on his extensive experience as a senior advisor on the ground in the Iraq and Afghanistan wars. His Articles are what he observed to be essential to successful counterinsurgency. Here is what I took away. All quotes are from the book, which also contains the 28 Articles.

Article 1: Know your turf.

"Your task is to become the world expert on your district. If you don't know precisely where you will be operating, study the general area. Read the map like a book: study it every night before sleep and redraw it from memory every morning, until you understand its patterns intuitively." (Counterinsurgency page 30).

In Information Security, this is knowing your network and your systems and your applications. What they are, what they store, how they communicate, what their accessibility is, who is accessing them, and so forth. It is Nmap coupled with NetFlow data coupled with the asset risk catalog coupled with vuln scan information coupled with firewall logs and security event logs and fraud activity.

Article 2: Diagnose the problem

This is threat analysis based on real data and reliable intelligence. It isn't a physics-class, hypothetical, assume-a-vacuum scenario. It is real, and the decisions are made in the real world. It is the root of good security decisions. It is the process of determining the likelihood of harmful things occurring to your assets - who will do what to which systems. This information, coupled with the value of each of your systems, forms the basis for making sound security decisions.

Article 3: Organize for intelligence

"Your operations will be intelligence driven, but intelligence will come mostly from your own operations, not as a product prepared and served up by higher headquarters. So you must organize for intelligence."

In a post earlier this year, I wrote that your environment has all the data you need to answer your security questions.

Article 4: Organize for interagency operations

"Almost everything in counterinsurgency is interagency." Kilcullen continues, "Train the company in interagency operations -- get a briefing from the State Department, aid agency, and the local police or fire brigade. Train point men in each squad to deal with the interagency." (Counterinsurgency page 32)

In InfoSec, the interagency is the business and the IT associates who support the business objectives. It is being able to work effectively across organizational boundaries to secure, and to collect data from, networking infrastructure and systems; working with the development team to write secure code and to integrate security test cases into the QA cycle. It is working with all of these organizations, and with Public Relations, to effectively respond to events.

It is working with product teams to understand their objectives and to quickly develop security solutions to enable them to move quickly. It is being solution-ready for emerging technologies that will enable the company to more efficiently and effectively serve the customer.

Article 5: Travel light and harden your Combat Service Support

"Unless you ruthlessly lighten your load and enforce a culture of speed and mobility, the insurgents will consistently outrun and outmaneuver you." (Counterinsurgency page 33)

This is about having an adaptable security architecture that can be quickly adjusted to address threats. These are inherently intelligence-centric systems that learn on their own and from the engineers operating them.

Article 6: Find a political/cultural adviser

Be "able to speak the language and navigate the intricacies of local politics." (Counterinsurgency page 33)

Information Security serves the organization that employs it. This is about being connected to the business and enabling the business strategy. It is about bringing the Executive team to the proper level of understanding of threats and risks to their organization in their language.

Article 7: Train squad leaders, then trust them

"Ruthlessly replace leaders who do not make the grade." (Counterinsurgency page 34)

Article 8: Rank is nothing: talent is everything

"Rank matters far less than talent - a few good men under a smart junior NCO can succeed in counterinsurgency, where hundreds of well-armed soldiers under a mediocre senior officer will fail." (Counterinsurgency page 34)

This applies to vendors as much as it does people. I've seen talented small teams dramatically cut costs because the commercial software solutions were really just a poor patch for lack of talent. This video illustrates it well....

Article 10: Be there

"If you are not present when an incident happens, there is usually little you can do about it. So your first order of business is to establish presence." (Counterinsurgency page 35)

This is security intelligence and event monitoring so that you can minimize the gap between the time of the initial incident and the response. Wait too long, and the data or the money is gone. Sadly, Mandiant reported that, for incidents they were involved in handling, the threat groups were present on the systems for a median of 229 days.

This is also about being integrated into the business's plan, build, operate cycle so that you can influence direction early in the process rather than complaining and scrambling after the products are built.

Article 16: Practice deterrent patrolling

I've seen it done so well that banking trojan campaigns and associated fraud have fallen off for weeks because the best proactively lure and take down the miscreants. This is also about advanced threat intelligence so that you are resilient even to the newest attack campaigns. This means being in the enemy camp gathering intel, and being trusted professionals with your business competitors such that you can share information quickly and without the friction of legal qualifications.

Article 17: Be prepared for setbacks

Article 20: Take stock regularly

"Use metrics intelligently to form an overall impression of progress - not in a mechanistic 'traffic light' fashion." (Counterinsurgency page 41)

Metrics that matter. The metrics that matter here are those that inform you about the enemy and your capability in resisting them and where controls are worth it and where they are not. They also measure how well you are serving the business. I'll do a post on this in the near future.

Sunday, June 15, 2014

Two words to describe this trail - steep and rocky. I saw a few guys on 4-wheelers. No dirt bikers. This is indicative of what you are riding. Long and steep and rocky. I stalled a few times here. Lots of weight on the rear tire is required.

This is looking down a steep rocky, switchback section. I have yet to ride this without dumping my bike. This time it cost me my front brake lever. A while ago, it cost my friend a hole in his crank case. Goal: ride this without stalling and without dumping.

The top has some fun stuff where you can spend a bit of time in 4th gear. Trust me, you'll never hit 5th.

After getting back down, I buzzed up Beaver Creek, just across the highway. Finally, 5th gear.

Saturday, June 14, 2014

This paper is a threat report derived from the 31 information security threat reports published in 2014. Basically, I read all of the 2014 threat reports so you don’t have to. This document contains the best parts of the threat reports. I’ve also listed all the reports included in the review and enumerated the best reports in case you want to read some of them yourself.

...organizations should not ignore a solution as straightforward as anti-virus since it can reduce virus threats by almost 50%. (NTT Group)

The catachresis of malware is being carried out by both state and non-state players where the objectives vary from monetization to creation of espionage networks and stealing of information. (Quick Heal)

Windows XP will still be targeted while its support life cycle is ending in year 2014. (Dell)

Strong Software Security Driving Increased Social Engineering

The next two or three years may bear witness to a divergence in the threat landscape; as people move to newer, more secure operating systems and modern web browsers, it will naturally become more easy to avoid falling victim to a casual malware attack. The success or failure of these attacks will be increasingly determined by the level of social engineering involved, which in turn may drastically affect the overall shape of the online security landscape. (Symantec)

Spear Phishing and Watering Hole Attacks

Spear phishing is still the most common delivery mechanism for targeted intrusion operations; however, the frequency of Strategic Web Compromise (watering hole) operations is increasing. CrowdStrike believes that this tactic will remain popular among targeted intrusion adversaries, and its use will likely continue to increase in frequency. (CrowdStrike)

In 2014, cybercriminals will increasingly use targeted-attack-type methodologies. Doing open source research and spear phishing will become a norm even for cybercriminals. (TrendMicro)

Third-Party Compromise Vector

Expect to see adversaries targeting third-party vendors in an attempt to compromise the ultimate target. Vendors often have less-robust security than their larger customers, and their networks offer an avenue through which those customers can be compromised. (CrowdStrike)

New gTLDs Increase Effectiveness of Phishing

We predict that 2014 will see a great deal of activity around ICANN’s new generic top-level domains (gTLDs). These gTLDs will be used by adversaries to support more effective phishing attacks. (CrowdStrike)

Increase in Malware use of Encryption

In 2014, we will see a rise in malware that uses SSL and custom encryption methods in order to communicate with remote servers for beaconing, receiving C2 commands, performing data exfiltration, etc. (CrowdStrike)

Decrease in Public Vulnerability Disclosure, Increase in Black Market Exploits

The past couple of years saw a surge in bug bounty programs from companies such as Microsoft, Yahoo!, and PayPal, and a corresponding decline in public disclosures of vulnerabilities. This trend will continue in 2014 with an increase in black market activity of newly discovered vulnerabilities and newly developed exploits. As the black market activity increases, so will the demand for custom-made malware. (CrowdStrike)

Small Attack Groups – Hit and Run

Icefog is part of an emerging trend that we’re seeing – attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. (Kaspersky)

The number of distinct [phishing] campaigns identified by Symantec is up by 91 percent compared to 2012, and almost six times higher compared to 2011. However, the average number of attacks per campaign has dropped, down 76 percent when compared to 2012 and 62 percent from 2011. This indicates that while each attack campaign is smaller, there have been many more of them in 2013. (Symantec)

Rise of the Cyber Mercenary

It is highly likely that cyber-mercenary services will be provided by IT specialists who have never before been engaged in criminal activity. (Kaspersky)

Fragmentation of the Internet

At the same time, the Internet has begun to break up into national segments. Until recently this only really applied to the Great Firewall of China. Several countries, including Russia, have adopted or are planning to adopt legislation prohibiting the use of foreign services. The World Wide Web has begun to break up into pieces. Individual countries are no longer willing to let a single byte of information out of their networks. These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions. The next step will most likely be attempts to limit foreign access to data inside a country. (Kaspersky)

Increasing Criminal Darknets

Cybercriminals will go “deeper” underground next year. The Deep Web offers anonymity through “darknets,” a class of networks that guarantee anonymous and untraceable access. (TrendMicro)

Windows XP Targeting

With Windows XP reaching end-of-life after 12 years, it will become a huge target for attackers. (Sophos)

Big Data

Big data is big money and unless the right security steps are taken it’s all available for an enterprising cybercriminal. (Referring to criminals getting into the data collection and brokering business) (Symantec)

As the use of such big data analytics spreads, attackers will have to find ways to hide from statistical analysis and anomaly detection. (NTT)

“How do we know that the data used for analytics has not been polluted?” Lee asked. “This threat represents a battle that we will have to fight in the next five to ten years.” (NTT)

Internet of Things

“Over the next five years, you will see a plethora of devices connected to your home or business network,” said Andrew Howard, a research scientist with the Georgia Tech Research Institute (GTRI). “And these can be used as avenues for attack.”

Sandbox Aware Malware

As more security technologies increase their reliance on sandboxes for malware analysis, CrowdStrike foresees an increase in sandbox-aware malware.

Saturday, May 24, 2014

I Googled 'threat report' and quickly found 42 threat reports. I'm going to read every one of these and rank them. So if my next post is nonsensical, it is because I scrambled my brain reading this stuff.

Monday, May 19, 2014

The snow is great, but the dirt is better. 59,430 square miles of public land. Lots of dirt roads and trails. That means an endless supply of moto terrain!

Sunday morning I started a quick search for OHV maps of Utah. I found 50! Here is, as far as I know, the only single site that contains links to all the Google-findable Utah OHV maps. So, if you want to get lost, here are the maps to take you there. And when you do get lost, you just might find yourself in a place like this :-)

Which employees have the worst security behavior?

Ever wonder which employee has the worst security behavior? New employees come into the organization and get training in information security. They are instructed about the hazards of clicking on links in email messages from unexpected senders, the risks of using web mail and file sharing sites at work, and the potential liability of storing sensitive data on external media.

You send them out into the world to do good things, but you know that one of them is really going to cause big security problems. Looking at them as they leave the class, you are certain it is going to be one of the guys in the far left column.

Back in the trenches, the security engineers and analysts are fighting the good fight against malware infections, botnets, unsecured servers and hosts, broken security software, lost devices, and attacks against the perimeter. Lots of activity. From whom is it stemming? If you could just get to the root... who is causing these problems? Then you remember reading those cool posts on www.dieselcafe.com where you learned that you have all the data you need to answer your security questions.

Rolling up your sleeves, you determine that identifying the person with the worst security behavior is going to require Active Directory (for employee information), the web gateway event logs (who is hitting high-risk categories), the AV logs (who is getting the malware alerts), the system management logs (which tell you patch levels and the apps installed on systems), and the network vuln scan data.

You set up ETL jobs to periodically pull this data from its various sources into your PostgreSQL database, and you bind the data together using hostnames and IP addresses from the DNS logs. Because addresses get reassigned on DHCP networks, match an event to a host only when its timestamp falls within the period that host held the address; joining on IP alone puts other people's events on the wrong desk.

You crunch the data - looking at a simple count of security events by employee over the last three months and are surprised but not surprised that 90% of your security problems come from 1% of your users.

So you dive in and create the reports that will drive action in the organization and come up with something like this...

Armed with this, you know who the worst security actors are in the company. Starting with the biggest offenders, your team provides individual training to get the worst right. You see the curve flatten over time. You are proud of yourself. But then, you ask yourself, "Am I asking the right question?"

Which employees expose the organization to the greatest risk?

What you really care about is which employees expose the organization to the greatest risk. To figure that out, you decide you need to tie the security behavior score you've developed to the user access permissions and the system risk ratings. You have a centralized store of user system access permissions because you do periodic access permission certifications. And you have a database of the risk profile for each of those systems because of your risk management program.

Adding these together with the security behavior scoring that you already did...

Some tweaks to your report. Done! As it turns out, some of the people with better security behavior do need some attention, like Enoch Root, your CFO!

And by the way, it turns out that this guy is the one who was causing you all the grief :)
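The two questions above (worst behavior, then greatest exposure) carried through in code, as an added example rather than anything from the original post. It loads small constructed extracts from each source into an in-memory SQLite database so it runs stand-alone; the same SQL would run against the PostgreSQL store the post describes. The table layout, the list of high-risk proxy categories, the sample rows (including a user named for the post's CFO), and the scoring rule are all assumptions made for this example. The lease table is there to show the join the post relies on: one address changes hands partway through the period, and matching on IP alone would credit the second user's event to the first.

```python
import sqlite3

# Constructed sample extracts (not data from the post). Table layout, category
# list and scoring rule are assumptions made for this example.
USERS = [("aclark", "Alice Clark", "Marketing"),           # Active Directory
         ("bnguyen", "Bao Nguyen", "Engineering"),
         ("eroot", "Enoch Root", "Finance")]
HOST_OWNERS = [("ws-mkt-01", "aclark"), ("ws-eng-07", "bnguyen"),  # system management
               ("ws-fin-02", "eroot")]
# DHCP/DNS history: 10.1.1.10 moves to another host on 2014-05-03, so an
# IP-only join would put bnguyen's event on aclark's desk.
LEASES = [("ws-mkt-01", "10.1.1.10", "2014-05-01T00:00:00", "2014-05-03T00:00:00"),
          ("ws-eng-07", "10.1.1.10", "2014-05-03T00:00:00", "2014-05-10T00:00:00"),
          ("ws-fin-02", "10.1.1.20", "2014-05-01T00:00:00", "2014-05-10T00:00:00")]
PROXY_EVENTS = [("2014-05-01T09:00:00", "10.1.1.10", "Malware Sites"),  # web gateway
                ("2014-05-02T10:00:00", "10.1.1.10", "Phishing"),
                ("2014-05-02T11:30:00", "10.1.1.10", "Web Mail"),
                ("2014-05-02T11:35:00", "10.1.1.10", "Business"),      # benign, not counted
                ("2014-05-04T09:00:00", "10.1.1.10", "File Sharing"),  # after reassignment
                ("2014-05-05T14:00:00", "10.1.1.20", "Web Mail")]
AV_ALERTS = [("2014-05-02T12:00:00", "ws-mkt-01", "Trojan.Zbot"),        # anti-virus
             ("2014-05-06T08:00:00", "ws-mkt-01", "Trojan.Zbot")]
ACCESS = [("aclark", "cms"), ("bnguyen", "cms"), ("bnguyen", "build-server"),  # certifications
          ("eroot", "general-ledger"), ("eroot", "wire-transfer")]
SYSTEM_RISK = [("cms", 2), ("build-server", 3), ("general-ledger", 5),   # risk program, 1..5
               ("wire-transfer", 5)]
HIGH_RISK_CATEGORIES = ("Malware Sites", "Phishing", "Web Mail", "File Sharing")


def build_db():
    """The ETL step: load every extract into one database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, display_name TEXT, department TEXT);
        CREATE TABLE host_owners(hostname TEXT PRIMARY KEY, username TEXT);
        CREATE TABLE leases(hostname TEXT, ip TEXT, lease_start TEXT, lease_end TEXT);
        CREATE TABLE proxy_events(ts TEXT, src_ip TEXT, category TEXT);
        CREATE TABLE av_alerts(ts TEXT, hostname TEXT, signature TEXT);
        CREATE TABLE access(username TEXT, system TEXT);
        CREATE TABLE system_risk(system TEXT PRIMARY KEY, rating INTEGER);
    """)
    for table, rows in (("users", USERS), ("host_owners", HOST_OWNERS), ("leases", LEASES),
                        ("proxy_events", PROXY_EVENTS), ("av_alerts", AV_ALERTS),
                        ("access", ACCESS), ("system_risk", SYSTEM_RISK)):
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def events_by_user(conn):
    """Question 1: security events per employee, worst first.

    A proxy event is tied to a host through the lease that was active at the
    event's timestamp, then to the host's primary user; AV alerts already carry
    a hostname. ISO-8601 timestamps compare correctly as strings.
    """
    marks = ",".join("?" * len(HIGH_RISK_CATEGORIES))
    sql = f"""
        WITH proxy_hits AS (
            SELECT o.username
            FROM proxy_events p
            JOIN leases l ON l.ip = p.src_ip
                         AND p.ts >= l.lease_start AND p.ts < l.lease_end
            JOIN host_owners o ON o.hostname = l.hostname
            WHERE p.category IN ({marks})),
        av_hits AS (
            SELECT o.username FROM av_alerts a JOIN host_owners o ON o.hostname = a.hostname),
        hits AS (SELECT username FROM proxy_hits UNION ALL SELECT username FROM av_hits)
        SELECT u.username, COUNT(h.username) AS events
        FROM users u LEFT JOIN hits h ON h.username = u.username
        GROUP BY u.username
        ORDER BY events DESC, u.username"""
    return conn.execute(sql, HIGH_RISK_CATEGORIES).fetchall()


def risk_by_user(conn):
    """Question 2: behavior weighted by what the employee can reach.

    exposure = sum of risk ratings of the systems the user is certified for;
    score = (1 + events) * exposure, so a clean record still ranks someone who
    holds access to the most sensitive systems. The rule is an assumption.
    """
    exposure = dict(conn.execute("""
        SELECT a.username, SUM(r.rating)
        FROM access a JOIN system_risk r ON r.system = a.system
        GROUP BY a.username""").fetchall())
    rows = [(user, events, exposure.get(user, 0), (1 + events) * exposure.get(user, 0))
            for user, events in events_by_user(conn)]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    db = build_db()
    print("worst behavior:   ", events_by_user(db))
    print("greatest exposure:", risk_by_user(db))
```

With these rows the first report puts the marketing user with five events at the top, while the second puts the CFO there with a single event, because the systems behind that one event carry the highest ratings. The half-open lease window (start inclusive, end exclusive) is what keeps the 2014-05-04 event with the engineer rather than the marketing user who had the address two days earlier.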